Ah, right on time: Hacker-slammed SolarWinds sued by angry shareholders

SolarWinds – the network monitoring biz thoroughly hacked as part of a wider espionage operation – has been sued by its shareholders who claim bosses failed to tell them about its numerous security woes. Last month, it emerged the update server used by SolarWinds to distribute its Orion software had been subverted by …

  1. Chris G

    In their defence

    They could always try quoting this; https://off-guardian.org/2021/01/04/the-russian-hacking-nato-psyop-has-finally-been-solved/

    But I am not too sure it would do them any good.

    1. Anonymous Coward

      Re: In their defence

      I was thinking of the lack of publicly disclosed evidence pointing to a Russian APT. All of the private sector analyses of the hack I've read so far have refrained from explicitly pointing fingers, while the US cyber security agencies have been steadily beating the "Russia did it" drum.

      Don't get me wrong, if anything I wouldn't be pushing for Trump's arguments anytime soon, it's just the lack of telltale procedures or signature coding (usually spotted by the international cyber security community) that gets me suspicious. IIRC Snowden's revelations[1] included (or were related to) an intent of coding to make some threat look as if it was Russian made, when it wasn't.

      I might be going into tinfoil hat territory here, but I would wait until more in-depth analysis of the malware pieces surface to build a sure case.

      The other thing this notorious event brings out is the lack of international legislation covering state-sponsored intrusions/hacks. It all ends up in a diffuse territory where the affected country doesn't take any punitive actions, outside of indicting a couple of random guys who might never get prosecuted since they won't step out of their sponsoring countries. I guess it's all because everyone at the top hacks left and right without a distinction between friends and foes, and if some sort of clear legislation gets thrown out it might end up being used against them. But still, I think these SpyOps getting so publicly voiced call out for a clearer way to retaliate or answer them.

      [1] Could be Mandela effect, not sure about this.

      1. don't you hate it when you lose your account

        Re: In their defence

        I'm also suspicious of the fact that there hasn't been a deeper (open) dig into this. But I'll wait for more open disclosure till I get out the tinfoil. Lawsuit wise, they let their upstream be compromised, can't get much worse than that from a SECURITY company.

    2. Potemkine! Silver badge

      Re: In their defence

      From the link:

      "Russia retook control of the Crimean Peninsula". That's a funny way to describe a military invasion of a foreign country.

      Looking at the other articles of this website, it can be definitively classed in the 'conspirationist dumbass' category. You owe me 10 minutes of my life to have me read that huge pile of BS.

      1. Yet Another Anonymous coward Silver badge

        Re: In their defence

        Britain retakes control of Normandy, Aquitaine and Anjou

    3. Mike 125

      Re: In their defence

      Did it do you any good?

  2. Anonymous Coward

    You gambled, you lost. Deal with it.

    You sit down at a casino table, drop your money on a random blob, & spin the wheel, throw the dice, take your cards, whatever. You agree to the risks when you sat down & told the table master to include you. You spun the wheel, threw the dice, accepted the cards & the wheel came up a different blob, the dice came up snake eyes, the cards were crap. You lost. Too bad. That's gambling.

    What makes you think playing the stock market is any different? Sure the company is supposed to remind you that you're gambling, they did remind you, so if they did their due diligence then you're shit out of luck. You gambled, you lost, deal with it.

    Having said that, IF the company did NOT do its due diligence THEN you have a case, but as far as TFA indicates they did & you're screwed. It sucks but you need to put your Adult Pants on & deal with it like one.

    1. Blazde Silver badge

      Re: You gambled, you lost. Deal with it.

      Considering there's already circumstantial evidence and cover-ups are very common in these circumstances it looks like they're making another value bet that the discovery will turn up something. That's plenty grown up and it's their money to throw at lawyers if they want to.

    2. martinusher Silver badge

      Re: You gambled, you lost. Deal with it.

      The 'tell' was that insiders dropped a whole lot of the stock at a decent price before the news hit. The timeline started with the disclosure of the screwup by a security researcher who, if I recall correctly, communicated privately to the company. This happened at least six weeks before the announcement and during that time -- in fact just before the announcement -- several insiders dropped a considerable amount of stock on the market that was picked up by a Canadian pension fund.

      The SEC not only takes a really dim view of insider trading but the pension fund is correct to feel duped. There was ample time to disclose the potential risk to what was a major investor but somehow this got lost in the wash. Investors are used to risk, they just don't like being conned.

      1. Anonymous Coward

        Re: You gambled, you lost. Deal with it.

        At what point does the requirement to deal with security breaches, and notify people in an appropriate manner, get subsumed into the need to tell investors, so that they can dump stock?

        It doesn't really matter when the news breaks for investors - the stock is going to dive on the news. So either they wanted to indulge in insider trading, or they think that they would have reacted faster to the news at a different point in time.

        I'd suggest that if their stock has dropped that much then it's probably worth investing in.

        1. eldakka

          Re: You gambled, you lost. Deal with it.

          > At what point does the requirement to deal with security breaches, and notify people in an appropriate manner, get subsumed into the need to tell investors, so that they can dump stock?
          >
          > It doesn't really matter when the news breaks for investors - the stock is going to dive on the news. So either they wanted to indulge in insider trading, or they think that they would have reacted faster to the news at a different point in time.
          >
          > I'd suggest that if their stock has dropped that much then it's probably worth investing in.

          The point of notifying investors is not so investors can dump the stock, it's to notify potential stock buyers of the true value of the stock. By not disclosing relevant information that affects the stock price, the company has defrauded those people who purchased stock after the information became available to the company but before they released it.

          And it should be noted as mentioned in other comments, apparently some people were informed, as there was suspicious selling activity by some stock holders shortly before the information did come to light, which is an indicator that there was some insider trading going on, which is an indication that the company was indeed aware of these issues far earlier than their public announcements are letting on.

      2. You aint sin me, roit

        Insider dealing and new investors

        I don't see how this affects investors who invested before the breach - their investment will tank as soon as the breach becomes public. There might be an argument that they could get out before the true impact of the breach is known.

        Insiders who know about the breach but hush it up until they can dump their stock will hopefully have to pay for their actions.

        New investors who thought they were taking a reasonable gamble without realizing that they had already lost were obviously conned.

  3. Skymonrie

    The operation is not over

    Whilst there may be a whole host of other companies to step in to take over this lost business and, yes, SolarWinds may have screwed up with some fundamental OpSec, I'm not sure suing them out of existence is going to do the world any good.

    There would have likely been a reason many of these huge customers chose to use them and not some alternative. At a guess, maybe because they tick more boxes than the competition making them the "best".

    Whilst there definitely should be a review of what happened (and I willingly prepare to eat my words), they were the target of a state level attack, there's very little they could probably do to have prevented the attack. What should be happening is learning lessons to make sure that a repeat can't ever happen again and to move on.

    To use an analogy, it would be like West Bromwich Albion firing Sam Johnstone (according to stats, he is the best goalkeeper in the Premier League) because they lost 4-0 to Arsenal (also Google it yourself). Maybe there was nothing in his power he could have done to be better; Arsenal were happily dancing around a laughable defense. The team itself should reflect on the situation, not just blame the goalie.

    1. Danny Boyd

      Re: The operation is not over

      Oh, gimme a break! "Maybe, there was nothing in his power he could have done..."? With "solarwinds123" password (1FA) on an update server?

      Microsoft and others should drop SolarWinds as a hot potato, immediately. The guys are just plain incompetent.

      That's the problem with using third-party software, and by proxy that's the problem with cloud computing in general: you rely on somebody else's competence, which you know nothing about.

    2. Anonymous Coward
      Mushroom

      Re: The operation is not over

      > I'm not sure suing them out of existence is going to do the world any good.

      Oh yes, it would.

      For one, it would discourage anyone thinking about it from using their Certified Piece Of Shit software. For two, any time C-level execs do a massive stock dump before major negative news hits, they inadvertently answer any questions one may have had about securities fraud. For three, SolarWinds had no intentions of disclosing any of this. The disclosure was forced by FireEye, who, as user of SolarWinds' software, was massively penetrated.

      Very few details are available - as of yet - about how any of this may have happened, but from the few tidbits that have been made public thus far there is plenty of evidence of negligence and outright reckless incompetence. Hint: setting up development shop in Poland because it's cheap. Cheap it may be, but it's also full of SVR.

  4. nagyeger
    Stop

    Who pays?

    > I'm not sure suing them out of existence is going to do the world any good.

    Exposing my ignorance that comes from being only half-way knowledgeable about how shares work...

    Who is actually suing whom here? It sounds like the share holders (company owners) are suing the company ... that they own a share of, which sounds like employing a lawyer to empty your own wallet. Seems like a very dumb way of feeding lawyers.

    Surely if it's shareholders saying the company shouldn't have money in its accounts when they've lost money, then can't they just call an EGM and award themselves a massive dividend?

    If it is past shareholders effectively wiping value off present shareholders' holdings, then that sounds like:

    "While I had some influence over this company it did something dumb. You bought my shares from me so it's now your fault, and you should pay me," and I'd hope the court would throw it out.

    If it's shareholders holding the directors responsible for their (in)action, and clawing back the last 10 years of bonuses, stock options and other benefits their mismanagement has earned them, then urm, yes, that sounds very reasonable to me.

    1. Pseu Donyme

      Re: Who pays?

      I was wondering about this too. These shareholder lawsuits surely can't be as stupid as them effectively suing themselves for damages while suffering further losses from paying for their own lawyers directly and those of the company indirectly? Can anyone enlighten us as to how these actually work?

      1. Anonymous Coward

        Re: Who pays?

        One possible option is that there might be some sort of indemnity insurance that pays out. So the company loses, the shareholders get recompensed, but the company only loses out to the tune of its excess.

        Second option is that if the company loses, the challenging shareholders will find it easier to oust the current chairman and board, and install a new board that they have more confidence in. (The assumption is that the shareholders still think the company is a worthwhile investment, and that they will eventually make their money back, but want a different team in charge.)

    2. Blazde Silver badge

      Re: Who pays?

      "Who is actually suing whom here?"

      New shareholders (who bought shares roughly in the last 12 months) are suing the CEO, CFO and company itself because they think there was false reporting of financial information from Feb 2020 onwards. In theory that's to the detriment of shareholders who bought earlier than Feb 2020, or who bought after and don't join the class action, and hadn't yet sold their shares, since if the company has to pay damages/settlement it will come out of the value of their holding. However the allegations are basically against the individuals. I've no idea whether material outcomes for the company itself are even remotely likely, other than hopefully getting new management if the existing ones have been naughty. The representative plaintiff bought just 40 shares, and maybe no one else has or will join him. It seems very speculative so far.

  5. TheMeerkat

    I am still curious, was it an insider job (much easier to accomplish technically) or a hack from outside?

    1. Anonymous Coward

      Insider, or likely to be. Somebody (supposedly in Poland) physically worked at the servers location and somehow acquired the password, then they gave (or sold) it to the hackers. At least that's the advertised belief... Here's the thing: "solarwinds123"

      O.K., assuming that password was used, how many people had access to that password? There had to have been many and any 1 of them could be the culprit, so why would it have to be someone in Poland? It does make things pretty plausibly deniable regardless of how simple or complex the password is.

      I don't buy any of this, sorry to all that do. To vaguely put it, I think somebody hacked somebody else that hacked something else. Now I do believe it was probably some organization from Russia or wherever that unsanctionedly took the data, but I think Poland is being used as a goat by 2 parties.

      Lastly, somebody needs to answer why & how Solarwinds became a known viable entry point to begin with.

  6. Anonieme Lafaard

    bad password?

    Oh come on, that's a perfectly fine password, just ask the current president of the US...

  7. Potemkine! Silver badge
    WTF?

    "a much smaller number" suffered further network intrusions via the implanted backdoor

    How can the Task Force be sure of that??

  8. Doctor Syntax Silver badge

    Who, exactly, are they suing? If it's the execs then fine. If they're suing the company then they're suing themselves and the net result is that they lose the money the lawyers of both sides charge them and gain nothing because they, collectively, are the company.

  9. StrangerHereMyself Silver badge

    Ominous

    What's really frightening about this hack is that no U.S. cyber-intelligence department noticed it. In fact, they may have been unwitting victims themselves.

    This really spells disaster for the security of the U.S. government, which has spent countless billions trying to secure its operations, to no avail. Publicly they say that there's no evidence that secret or top-secret information has been leaked, but most likely they simply don't know or are unwilling to disclose if it were the case.

  10. tiggity Silver badge

    Though of course

    If SolarWinds had put masses of resources and cash into having top quality security and code control systems in place, would probably have been a class action by shareholders moaning that the company was wasting too much money on and their dividends were far smaller than they should be.

  11. Anonymous Coward

    Ah, right on time

    well, if they wait, the company might fold (now it probably does, anyway) and they'll see nothing. While, if they do asap (nothing personal, business, right? ;) - they might, just might be quick enough to get something, when the company does buckle and fold under the weight of the lawsuit. That's your fully optimised, nothing-personal business relationship. All goes well, we're pals and our ceos pose for a stupid-grin-honest-handshake photo. Things go to shit - well, nothing personal, but...
